Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 11:43
Static task
- static1
Behavioral tasks
- behavioral1: sample fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe, resource win10v2004-20240412-en
General
- Target: fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
- Size: 1.3MB
- MD5: fa39a305180ccfd7fe227d94f463f900
- SHA1: a97c990b46b5ff05b46dc6778a6f79b92c2618d8
- SHA256: 3e6e256f7b7d79667eceba8888a26457124a33e09adc8d4bb8bc883335acd4b0
- SHA512: 4fee67879b3fcb4ec4f16c52dd7d5b87618e4f8af61bc2517062e8a31124ad18b2ac6f7a095bfeafb0d09ad22d4294d856d453dd22b585c32bbb27a5605cbbf0
- SSDEEP: 6144:yFiODSVo8MrfuwkDvRBFyV9tDH6VdIa3aLHbufFrXj+SRrhW+QE5jUQyygegclqR:yswSGF2w3EzxBlK
Malware Config
Extracted
- Family: warzonerat
- C2: akwz.mypets.ws:2849
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  resource / yara_rule:
    behavioral1/memory/1152-1-0x00000000005F0000-0x0000000000744000-memory.dmp  warzonerat
    behavioral1/memory/1152-4-0x0000000001F80000-0x0000000002A80000-memory.dmp  warzonerat
    behavioral1/memory/1152-20-0x00000000005F0000-0x0000000000744000-memory.dmp  warzonerat
    behavioral1/memory/2728-30-0x0000000000770000-0x00000000008C4000-memory.dmp  warzonerat
- Drops startup file (2 IoCs)
  description / ioc / process:
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid / process:
    2728  images.exe
- Loads dropped DLL (1 IoC)
  pid / process:
    1152  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
- NTFS ADS (1 IoC)
  description / ioc / process:
    File created  C:\ProgramData:ApplicationData  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process:
    2732  powershell.exe
    1616  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege  2732  powershell.exe
    Token: SeDebugPrivilege  1616  powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / process / target process (identical entries collapsed, count in parentheses):
    PID 1152 wrote to memory of 2732  1152  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe  powershell.exe  (4)
    PID 1152 wrote to memory of 2728  1152  fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe  images.exe  (4)
    PID 2728 wrote to memory of 1616  2728  images.exe  powershell.exe  (4)
    PID 2728 wrote to memory of 1636  2728  images.exe  cmd.exe  (6)
Processes
- C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa39a305180ccfd7fe227d94f463f900_JaffaCakes118.exe"
  PID: 1152
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    PID: 2732
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\images.exe
    Command line: "C:\ProgramData\images.exe"
    PID: 2728
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      PID: 1616
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 1636
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded; these are the hashes of an empty, zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QLY0EQ0DNB53Q4YIHYLI.temp
  Filesize: 7KB
  MD5: 371d1ecda1ce5dbb8e39cb2997ecfadb
  SHA1: 5ae74c2afff940103de4b5d5bd25688cb8b5d509
  SHA256: 284d2cbdcfc182f23a569b5ee47f8479a17e5a14c5ea0deead1fb84c321bd25b
  SHA512: f235cedd51a16143bfdd53092903035618efcb08433f247dc7f2875f374f46908616d1106e58c60fe3d780f9d2cc3c72d175d65cf1058ff8c6fb2e86306fa4e6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 88fcb0a3c9ea3ecb1572ca97779303b9
  SHA1: 268b18db1b2c7a0e6f832c444a9aab17d3140a07
  SHA256: b6def0004b5a8349b128a12ac55ec78340ac4f7cc53d232ae79ebe67e279a87d
  SHA512: e74d839102cfc0598a3a20ac3e900ce83807de2fbb7acdfd3312a8911fad047c6907333ad23c1de6f714e1390afda535a70404ae5993a62ccb8208958bda5d1c
- (no path recorded; hashes match the submitted sample)
  Filesize: 1.3MB
  MD5: fa39a305180ccfd7fe227d94f463f900
  SHA1: a97c990b46b5ff05b46dc6778a6f79b92c2618d8
  SHA256: 3e6e256f7b7d79667eceba8888a26457124a33e09adc8d4bb8bc883335acd4b0
  SHA512: 4fee67879b3fcb4ec4f16c52dd7d5b87618e4f8af61bc2517062e8a31124ad18b2ac6f7a095bfeafb0d09ad22d4294d856d453dd22b585c32bbb27a5605cbbf0